Mobile devices such as smartphones, tablets and including wearable computing devices such as Google® Glass are vulnerable to being used by unauthorized individuals or impostors all the time. Whether it is a thief who steals it from a purse on a subway, a romantic partner checking text messages for signs of an affair, or a child looking to play games, mobile device users run serious risks when unauthorized users or impostors obtain access to such devices.
Various prior art and prior use mechanisms are utilized in mobile devices to protect against use by unauthorized individuals or impostors. For example, all smartphones have lock screens that are protected by a variety of mechanisms including PINs, passwords, gestures, and fingerprints. While lockscreens can provide significant protections when properly used, they can also degrade the usability of a device by inserting an unwanted step—the authentication step—between the user and their objective of using their phone at all times of the day and night. The burden is so significant that many users forego the protection of lock screens, as explained in “Beyond the pin: Enhancing user authentication for mobile devices” by S. Furnell, N. Clarke, and S. Karatzouni, Computer fraud & security, 2008(8):12-17, 2008; and “Authentication of users on mobile telephones—a survey of attitudes and practices” by N. L. Clarke and S. M. Furnell, Computers & Security, 24(7):519-527, 2005.
Even when users do enable these mechanisms, users may configure these mechanisms using weak credentials or so the device locks itself infrequently. Further, the protection provided is also incomplete, as some unauthorized users or impostors will know how to bypass the lock screen.
Implicit authentication mechanisms provide a solution to overcome these problems by allowing the mobile device to identify the user without the user doing any explicit authentication actions. Several researchers have proposed implicit authentication schemes for smartphones based upon how users interact with a touchscreen. Examples include the systems described in “Continuous mobile authentication using touchscreen gestures” by Feng et al, 2012 IEEE Conference on Technologies for Homeland Security (HST), pp. 451-456, 2012; and “Touchalytics: On the applicability of touchscreen input as a behavioral biometric for continuous authentication” by Frank et al, IEEE Transactions on Information Forensics and Security, vol. 8, no. 1, pp. 136-148, 2013. Systems such as the one described in “Behaviomobile: Applying the behaviosec technology for multilayered mobile security”, retrieved from http://behaviosec.com/wp-content/uploads/2012/10/whitepaper-behaviomobile.pdf attempt to ensure that the correct person is entering a password pattern or a Personal Identification Number (PIN).
Other schemes have been proposed based on how users hold the phone, such as the system described in “A new non-intrusive authentication method based on the orientation sensor for smartphone users” by C.-C. Lin, D. Liang, C.-C. Chang, and C.-H. Yang in 2012 IEEE Sixth International Conference on Software Security and Reliability (SERE), pages 245-252. IEEE 2012.
Other schemes have been proposed based on gait, such as the system described in Derawi, Mohammad Omar, et al. “Unobtrusive user-authentication on mobile phones using biometric gait recognition.” Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP), 2010 Sixth International Conference on. IEEE, 2010.
To date, however, commercially available prior art and prior use systems have offered only improved security guarantees, such as by ensuring the correct person is entering a PIN or password pattern, rather than the improved usability of a non-intrusive authentication system.
While results from these prior art systems show that it is possible to distinguish users using mobile device sensors and machine learning algorithms, these prior art systems do not use appropriate algorithms or the appropriate evaluation methodologies that are required for building and assessing a workable implicit authentication scheme.
There are several requirements for practical mobile device implicit authentication mechanisms, which will be discussed in the section titled “Requirements” below.
A swipe-based implicit authentication scheme that addresses the requirements is then set out in the section titled “Approach”.
Prior Art Approaches to Mobile Authentication
FIG. 1 illustrates a typical configuration for a mobile device. A mobile device such as mobile device 101 is coupled to network 102 using at least one communication technique known to those of skill in the art. Examples of communication techniques include Wi-Fi, LTE, 2G and 3G. A fraud reporting center 103 and an authentication server 104 are also coupled to the mobile device 101 via a network 102 that is implemented using one or more networking technologies known to those of skill in the art. Examples of these networking technologies include wired networks, wireless networks, optical networks, Local Area Networks (LAN), Campus Area Networks (CAN) and Metropolitan Area Networks (MAN). In some embodiments, network 102 is comprised of a plurality of networks and subnetworks.
Following the example of lock screens in desktop-oriented operating systems, mobile devices all include, at the very least, a text-based authentication option. Several factors specific to mobile devices make text-based authentication less usable and secure than on desktop or notebook computers. For example, modern smartphones primarily employ touch-based on-screen keyboards that require switching between multiple screens in order to access infrequently used characters and use text prediction to improve typing accuracy. Good passwords, however, are long strings of characters that cannot be easily predicted and include multiple infrequently used characters. Secure passwords are thus hard to enter on smartphones.
PINs are simpler to enter due to the larger, and fewer, buttons that are needed, and their shorter length. However, they are still not as easy to enter as on a physical keyboard. Furthermore, they are particularly easy for an attacker or impostor to observe, given their simplistic nature, by “shoulder surfing” or taking a video of a person typing in their PIN. Shoulder surfing is a significant problem as mobile devices are heavily used in public environments, places where an attacker/impostor can more easily observe PIN entry and steal a device.
A number of different approaches have been proposed to reduce the usability strain of text-based authentication mechanisms on mobile devices while maintaining high security. One popular alternative is a swipe pattern unlock screen, such as the standard Android pattern unlock interface. In the Android implementation, the password is an ordered series of connected points which the user connects by dragging their finger on the screen. While this is a usability improvement over text entry, the approach is still vulnerable to shoulder surfing by impostors, smudge attacks by impostors, as well as random guessing of common patterns.
Other solutions such as “SkipLock” created by B. Hirashima and described at http://benhirashima.com/skiplock/, retrieved Jun. 19, 2014, have focused on avoiding the use of authentication mechanisms by establishing trusted areas where the identity of the user can be established with high probability based on their location. For example, a user may configure their device to never ask for a password when it is within their home, which may be established by GPS coordinates, or when it is near a trusted computer, which could be determined via Bluetooth. Though this approach does increase usability by bypassing authentication in tightly bounded scenarios, it does nothing to increase either the usability or the security of authentication in public settings. Furthermore, it also does not help with the numerous non-traditional impostor attacks mobile devices are subject to, for example, a child playing a game on a parent's work phone or tablet.
Moving away from the traditional approaches to authentication described above, biometrics have become an increasingly popular mobile authentication mechanism, especially in the past year with the introduction of fingerprint identification to Apple® iOS® Security and more recently Samsung smartphones, such as described in http://www.samsung.com/global/microsite/galaxy5/features.html retrieved Jun. 19, 2014.
Many biometric approaches use static biometrics, in that they are based upon one or more characteristics of the human body that remains stable over time. For example, fingerprint scanners; facial recognition systems such as that described in http://www.android.com/about/ice-cream-sandwich/ retrieved Jun. 19, 2014; and eye scan-based authentication mechanisms such as that described in “EyeVerify. White Paper: Third-Party Verification of Eyeprint Accuracy,” April 2013 are all commercially available for smartphones. Static biometrics generally have high true positive rates (authorized users can easily unlock the device) and high true negative rates (unauthorized users are rejected).
There are two fundamental limitations of static biometrics, however. The first is that static biometric approaches require that the user take explicit action to authenticate themselves by exposing some part of their anatomy to a sensor. Such an explicit action will, in general, be a distraction from the user's primary task, and as such frequent authentication checks will be unacceptable to most users. The second is that static biometrics can often be mimicked by impostors using relatively simple techniques known to those of skill in the art, for example, a picture of a person's face to fool a facial recognition sensor; or a latex finger to subvert a fingerprint scanner. This mimicry is fundamentally hard to stop because the primary sensor used is, essentially, a camera, and there are many ways of fooling cameras, and there are many ways of obtaining a copy of the original person's biometric data, for example, gathering fingerprints left elsewhere on a device.
Furthermore, some static biometrics may persist even when the user has either been killed or seriously injured by an impostor, such as, for example, retina scans and fingerprint authentication. Liveness detection, such as checking for blinking in an image while doing facial recognition, are, in practice, insignificant barriers to attackers because these sensors can also be defeated using means known to those of skill in the art such as described in http://www.androidpolice.com/2012/08/03/android-jelly-beans-face-unlock-liveness-check-circumvented-with-simple-photo-editing/.
While mimicry attacks against static biometrics is a concern, of greater concern are the extra steps required for authentication using static biometrics. Explicit authentication actions, no matter how simple, introduce friction that users will want to minimize, if not eliminate. A trade-off for lower security is often perceived as being worth the cost, at least until a device is compromised.
Behavioral Biometrics
Biometrics in general distinguish users based upon invariants in “who they are.” As previously discussed, static biometrics are based upon invariants in physical characteristics. Dynamic biometrics, or more commonly behavioral biometrics, are based upon invariants in an individual's behavior. Generally this behavior is consistent because of subconscious factors affecting how human bodies operate. While some schemes are based upon characteristics that are primarily involuntary, such as                Heartbeats, as described in “Analysis of human electrocardiogram for biometric recognition” by Y. Wang, F. Agrafiooti, D. Hatzinakos, and K. N. Plataniotis in EURASIP journal on Advances in Signal Processing, 2008:19, 2008; and        Neural signals and other brain activity recorded in response to a specific visual or auditory stimulus using a system such as the ones described in “Pass-thoughts: authenticating with our minds” by J. Thorpe, P. C. van Oorschot, and Anil Somayaji in Proceedings of the 2005 workshop on New security paradigms (NSPW '05). ACM, New York, N.Y.; and “Biometrics from brain electrical activity: a machine learning approach” by R. Palaniappan and D. P. Mandic in Pattern Analysis and Machine Intelligence, IEEE Transactions on, 29(4):738-742, 2007.Most are based upon behavior that is under more conscious control.        
Behavioral biometrics can be grouped into three categories: continuous, secondary and task-based. With a continuous behavioral biometric, the behavior of the user is continually observed and modeled, with the system detecting abnormal usage patterns associated with unauthorized use on an ongoing basis. With secondary biometrics, user behavior is monitored only while performing a standard authentication task, such as a PIN entry. A task-based biometric is similar in spirit to a secondary biometric, except that any task can be observed and modeled, not just an explicit authentication task.
Behavioral biometrics are, in general, more challenging to develop and deploy than static biometrics because human behavior is fundamentally variable. Despite this, the accuracy can be comparable to that of static biometrics-based systems because behavioral biometrics can take advantage of many more observations than static biometrics, and can do so in ways that require no additional work from the user.
Behavioral biometrics have a long history, including, for example,                Keyboard typing patterns such as the system described in “Keystroke dynamics as a biometric for authentication” by F. Monrose and A. D. Rubin in Future Generation computer systems, 16(4):351-359, 2000;        Facial recognition such as the system described in “Face recognition: A literature survey” by W. Zhao, R. Chellappa, P. J. Phillips, and A. Rosenfeld in ACM Computing Surveys (CSUR), 35(4):399-458, 2003; and        Handwriting recognition such as the system described in “Online and off-line handwriting recognition: a comprehensive survey” by R. Plamondon and S. N. Srihari in Pattern Analysis and Machine Intelligence, IEEE Transactions on, 22(1):63-84, 2000.        
However there is a need to focus on behavioral biometrics that are easily observed during the course of normal smartphone usage, specifically behavioral biometrics that utilize three key smartphone sensors: the touchscreen, the accelerometer and the gyroscope.
Requirements
In this section, five key requirements seen as being essential to a secure and usable implicit authentication solution are detailed.
(1) Learn only on user data: While it is possible to get samples of simulated malicious behavior in a lab setting, a deployed behavioral biometric system will not have access to representative malicious behavior. It also won't have access to a representative set of other user behavior, except perhaps for offline tuning purposes. Thus a behavioral biometric should construct its model of a user's behavior based primarily (if not exclusively) on observations of that user. In machine learning terms, anomaly detection algorithms or one-class learning algorithms must be used. Many commonly-used machine learning algorithms are two or multi-class learning algorithms and therefore do not meet this requirement.
(2) Model stable observables: Within the framework of anomaly detection, it is easier to learn normal behavior if the space of possible behaviors is small. In the context of smartphones this requirement is challenging as smartphone sensors may produce a deluge of data. Further, the output of these sensors can be highly variable: for example, they vary widely depending upon the task the user is performing: navigation while driving, a tilt-controlled game, or email. In machine learning, the “curse of dimensionality” says that as the complexity of data increases, the more data is required in order to learn a model. For implicit authentication quick learning of models of user behavior and quick detection of anomalies are important. Effective implicit authentication systems, then, will filter or process their data such that they detect anomalies in “stable observables”—characteristics of the data which remain invariant, unique and act predictably over time. This points to a disadvantage of continuous behavioral biometrics, as these systems will have less stable observables than secondary and task-based ones, simply because continuous gathering of user behavior will inevitably mean the system will be observing the user is highly variable contexts. Therefore, known consistent phenomena which will generally produce consistent data for modeling purposes should be used.
(3) Employ lightweight, online learning algorithms: User behavior is expected to naturally change over time. Anomaly detection algorithms thus must run online so that they can constantly learn from newly observed behavior. This incremental online learning must also be computationally lightweight as it should not impose significant latency upon the user interface—the user should not have to wait for the device to decide whether an action is going to be allowed or not. Lightweight learning methods are made feasible by stable observables: the easier the learning problem, the simpler the method that can achieve good results.
(4) Be resistant to mimicry attacks: Mobile devices such as smartphones are often used in public places, where they may be lost or stolen. This means that mobile devices must consider an attack scenario not commonly considered in other authentication contexts, that is where an attacker or impostor is able to physically observe the authentication taking place. For this reason it is important for implicit authentication schemes to be resistant to mimicry, or imitation, attacks. A typical “something you know” authentication scheme, such as a pin or password, performs poorly on this metric, since the attacker/impostor observes the credential being inputted and is able to replicate it perfectly. Though shoulder surfing resistant mitigation techniques exist such as those described in “Shoulder surfing defence for recall-based graphical passwords” by N. H. Zakaria, D. Griffiths, S. Brostoff, and J. Yan in Proceedings of the Seventh Symposium on Usable Privacy and Security, page 6. ACM, 2011; these mitigation techniques typically gain this increase in security by compromising usability.
(5) Authentication should be non-intrusive: Security is almost always a secondary task for users. This means that it distracts from the main activity the user wants to accomplish, for example checking their email or responding to a text message. This is particularly true of authentication, which inserts itself directly between the user and the task they want to accomplish. One way to make authentication usable is to ensure it is non-intrusive—meaning that it is transparent to the user. An example of a transparent authentication system in a non-mobile context are SSH public keys. Rather than prompting the user to enter an explicit password when connecting to an SSH server, the system uses public key cryptography to automatically establish the user's identity. In a mobile context, an explicit authentication task such as entering a PIN or password is intrusive, hence the frequency of authentication requests must be minimized, for example, only performed when the device is woken up from sleep after 5 minutes of inactivity. Because secondary biometrics require explicit authentication actions such as PIN entry, these are considered to be relatively intrusive. In contrast, continuous and task-based behavioral biometrics tend to be non-intrusive.
Prior Art Behavioral Biometric Systems
Early works of prior art in behavioral biometrics-based implicit authentication in a mobile context are the systems described in:                “Implicit authentication for mobile devices” by M. Jakobsson, E. Shi, P. Golle, and R. Chow in Proceedings of the 4th USENIX conference on Hot topics in security, pages 9-9, USENIX Association, 2009; and        “Implicit authentication through learning user behavior” by E. Shi, Y. Niu, M. Jakobsson, and R. Chow in Information Security, pages 99{113. Springer, 2011.        
In these works, systems based on implicit authentication via observation of user behavior are described. These works model user behavior as the probability of seeing a particular event, such as a phone call to a certain number, conditioned on the time of day. This model is used to calculate an authentication score, which triggers a security event if the score drops below a threshold. The modeling is built only on observation of user data, which satisfies the first requirement above. However, since this is a continuous system, the space of user behavior is large and may not be stable. Additionally, since attack scenarios are tested by splicing data from other users into one user's data stream; thus they only test whether users can be distinguished, not whether they can imitate each other. Therefore it is unclear whether such a system is resistant to mimicry attacks by impostors.
In the system described in “Progressive authentication: deciding when to authenticate on mobile phones” by O. Riva, C. Qin, K. Strauss, and D. Lymberopoulos in Proceedings of the 21st USENIX Security Symposium, 2012, the motivation is to reduce the number of times a user is asked to authenticate. This is done by combining a number of sensors to establish a confidence that the device is in the possession of the correct user. For example, the microphone can be leveraged to do voice recognition, Bluetooth can be used to establish if the phone is near another trusted device, the camera is available for facial recognition, and more. Some of these tasks constitute stable observable tasks according to the second requirement. However, training some sensors, such as facial or voice recognition, is an inefficient and obtrusive task. Additionally, the system divides access to content on the device into three different security levels. More confidential content requires a higher confidence to access without explicit authentication than less confidential content. The system uses support vector machines (SVM) and decision tree models which train on multiple classes of user data, thus they do not meet our first requirement. Though the evaluation does include attack scenarios, the scenarios do not include scenarios concerning imitation by impostors. Therefore it is unclear whether such a system is resistant to mimicry attacks.
Other work which continues along the same lines is the system described in “Senguard: Passive user identification on smartphones using multiple sensors” by W. Shi, J. Yang, Y. Jiang, F. Yang, and Y. Xiong in Wireless and Mobile Computing, Networking and Communications (WiMob), 2011 IEEE 7th International Conference on, pages 141-148. IEEE, 2011, which aims to incorporate touch gesture recognition along with voice, gait and location information to identify users in a continuous way. The system uses one-to-many binary classifiers, which do not train only on user data and therefore does not meet the first requirement. These classifiers also cannot be updated continuously, which impacts their ability to learn efficiently. Since observation seems to be occurring at all times, it is difficult for the system to achieve stable observation. However the system does not consider imitation attacks by impostors, so therefore it is unclear whether such a system is resistant to mimicry attacks.
While the previously mentioned work performs continuous authentication by fusing data from multiple sensors together to make an authentication decision, other systems take a narrower focus. The system described in “Continuous mobile authentication using touchscreen gestures” by Feng et al in IEEE Conference on Technologies for Homeland Security (HST), pp. 451-456, 2012 uses touch information from the user performing common gestures combined with data from a sensor glove the user wears to discriminate between users. This system relies on classification algorithms such as decision trees and random forests, which do not train solely on a single class of user data. The evaluation does not include an analysis of imitation attacks by impostors, therefore it is unclear whether such a system is resistant to mimicry attacks. Furthermore, the best results were obtained using information from a specialized glove worn by the user to collect additional data, which appears intrusive.
The system described in “A new non-intrusive authentication method based on the orientation sensor for smartphone users” by C.-C. Lin, D. Liang, C.-C. Chang, and C.-H. Yang in Software Security and Reliability (SERE), 2012 IEEE Sixth International Conference on, pages 245-252. IEEE 2012 takes a similar approach. However the system focuses exclusively on the orientation of the device as the user performs a touch screen gesture, the hypothesis being that users hold their devices in a unique way. The training set for each user contains 450 samples, which is not conducive to fast learning. Since the system is not tested against imitation attacks by impostors, it is unclear whether such a system is resistant to mimicry attacks. However, the system does train only on a single class of user data, and authentication does occur transparently to the user.
The system described in “Silentsense: silent user identification via touch and movement behavioral biometrics” C. Bo, L. Zhang, X.-Y. Li, Q. Huang, and Y. Wang in Proceedings of the 19th annual international conference on Mobile computing & networking, pages 187-190. ACM, 2013 combines both touch behavior and small movements in the accelerometer and gyroscope over the course of a touch gesture to try and identify when a guest is using the device, which is not intrusive for the user. The system observes sequences of gestures to determine whether a new user is using the device. The system uses both one class and multi class learning, partially fulfilling the first requirement. However, monitoring occurs continuously during the operation of applications, which may not be a stable observable. Again, the use of multi-class learning impacts the ability of the algorithm to efficiently learn. The evaluation does include attackers or impostors using a legitimate user's device, however these are not explicitly imitation attempts—rather they are random attackers/impostors who do not have knowledge of the user's behavior. Therefore it is unclear whether such a system is resistant to mimicry attacks.
The system described in “Touchalytics: On the applicability of touchscreen input as a behavioral biometric for continuous authentication” by Frank et al, IEEE Transactions on Information Forensics and Security, vol. 8, no. 1, pp. 136-148, 2013 considers the characteristics of the touch gesture itself, extracting and analyzing features such as the velocity, starting and ending locations, and direction. The system uses authentication after observation of a single swipe, as well as after observation of a sequence of swipes. The work employs classification techniques which do not train solely on user data and which impact learning efficiency. Again, observation is continuous, and so may not be stable.